Wednesday, August 14, 2013

SIGCOMM2013: BGP Security in Partial Deployment: Is the Juice Worth the Squeeze?

Presenter: Robert Lychev

Resource public key infrastructure (RPKI) is currently being deployed as a mechanism to secure BGP, enabling autonomous systems (ASes) to protected against prefix hijacks.  However, preventing against one hop hijacks requires BGPSEC, a newer BGP security mechanism that is currently being standardized.

Since BGPSEC will be incrementally deployed over time, it is important to understand what level of security is provided when BGPSEC is partially deployed.  When an AS's path selection policy prefers short paths over secure paths, BGPSEC will protect against protocol downgrade attacks (i.e., a secure AS with a secure route before an attack downgrades to an insecure bogus route following an attack).  When an AS prefers secure paths over shorter paths it cannot protect against protocol downgrade attacks, but it can protect against collateral damage attacks (i.e., a situation where having more ASes running BGPSEC results in to more ASes without BGPSEC choosing bogus routes).

A proposed metric for BGP security captures how many ASes are subject to attack.  An upper bound on this metric is the fraction of doomed ASes that always choose bogus routes, while a lower bound on this metric is the fraction of immune ASes that always choose legitimate routes.  Evaluation shows that, unless ASes prefer secure paths over long paths, or the fraction of ASes with BGPSEC is very large, the security benefits from partially deployed BGPSEC are meager.

Q: You only talk about BGPSEC but there are also other BGP security proposals.  Do these other mechanisms have similar issues?
A: We focused on BGPSEC because it is currently being standardized as a protocol that could run on top of RPKI and RPLI is currently being deployed.

Q: Your results are very interesting.  What are your suggestions for the people who are deploying?
A: The work is not intended to decide whether BGPSEC should or should not be deployed.  Our goal is to show the community the potential operational issues.  There is plenty or work that needs to be done to address these issues.

Q: Do you consider how to distribute the BGPSEC deployment within the network?
A: If you create islands of ASes which have deployed BGPSEC, then you can get more benefits from BGPSEC.